---
layout: docs
page_title: SSH - Secrets Engines
description: |-
  The Vault SSH secrets engine provides secure authentication and authorization
  for access to machines via the SSH protocol. There are two modes to the Vault
  SSH secrets engine including signed SSH certificates and one-time passwords.
---

# SSH secrets engine

Name: `ssh`

The Vault SSH secrets engine provides secure authentication and authorization
for access to machines via the SSH protocol. The Vault SSH secrets engine helps
manage access to machine infrastructure, providing several ways to issue SSH
credentials.

The Vault SSH secrets engine supports the following modes. Each mode is
individually documented on its own page.

- [Signed SSH Certificates](/vault/docs/secrets/ssh/signed-ssh-certificates)
- [One-time SSH Passwords](/vault/docs/secrets/ssh/one-time-ssh-passwords)

All guides assume a basic familiarity with the SSH protocol.

## Removal of dynamic keys feature

Per [Vault 1.12's deprecation notice page](/vault/docs/v1.12.x/deprecation),
the dynamic keys functionality of this engine has been removed in Vault 1.13.

## API

The SSH secrets engine has a full HTTP API. Please see the
[SSH secrets engine API](/vault/api-docs/secret/ssh) for more
details.
